Cross-site Scripting (XSS) - Stored in tsolucio/corebos

Valid

Reported on

Dec 12th 2021


Description

Stored XSS via file upload of a `.xml` file in the Product module. When the attachment is opened, files in some formats are rendered by the browser instead of being downloaded, so arbitrary JavaScript injected into the attachment beforehand executes in the context of the application's origin.

Proof of Concept

<?xml version="1.0"?>
<html:html xmlns:html='http://www.w3.org/1999/xhtml'>
<html:script>
alert(document.domain);
</html:script>
</html:html>

Steps To Reproduce

1. After login, navigate to Inventory -> Product and create or edit any product.
2. While editing the product, upload a malicious XML file as the product image.
3. Click Choose file, select XSS.xml, and then click Save.
4. After the upload succeeds, copy the link of the image and open it in a new tab.

The XSS will trigger when the attachment is opened in a new tab.
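The root cause is that a field meant for images accepts any file and the stored file is later served in a way the browser renders inline. The following is an added illustration of the two server-side checks that close that gap; it is not coreBOS code or the fix in commit f7c848, and the function names, the allowed image set and the sample payload (constructed from the PoC above) are assumptions.

```python
import re

# Image types a product-image field should accept, identified by magic
# bytes rather than by the client-supplied file name or Content-Type.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Leading bytes that mark text a browser will parse as markup
# (XML/XHTML/SVG/HTML), optionally behind a UTF-8 BOM and whitespace.
MARKUP_PREFIX = re.compile(
    rb"^(\xef\xbb\xbf)?\s*<(\?xml|!doctype|html|svg|script)", re.I
)


def validate_image_upload(data: bytes):
    """Return (accepted, mime_or_reason) for a candidate product image."""
    if MARKUP_PREFIX.match(data[:256]):
        return False, "markup content is not an image"
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return True, mime
    return False, "unrecognised image format"


def safe_download_headers(stored_path: str) -> dict:
    """Headers for serving any stored attachment so that the browser
    downloads it rather than rendering it as a document, whatever its
    real content turns out to be."""
    basename = stored_path.rsplit("/", 1)[-1]
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", basename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample: the XHTML payload from the PoC, as uploaded.
XSS_XML = (b'<?xml version="1.0"?>\n'
           b'<html:html xmlns:html="http://www.w3.org/1999/xhtml">'
           b'<html:script>alert(document.domain);</html:script></html:html>')

if __name__ == "__main__":
    print(validate_image_upload(XSS_XML))
    print(safe_download_headers("2021/December/week2/43906_XSS.xml"))
```

The first check rejects the PoC at upload time; the second is the defence in depth for files already in storage, since a download-only response never executes script in the application's origin.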

Video POC

https://drive.google.com/file/d/1vsyRMt-8VuTUFnFw6YBfjMlFw6L-v5m5/view?usp=sharing

Note

The link to the image will look like this: https://demo.corebos.com/storage/2021/December/week2/43906_XSS.xml

Impact

This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device.

We are processing your report and will contact the tsolucio/corebos team within 24 hours. 2 years ago
Devendra Bhatla modified the report
2 years ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back 2 years ago
Joe Bordes validated this vulnerability 2 years ago
Devendra Bhatla has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes marked this as fixed in 8.0 with commit f7c848 2 years ago
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE
KhanhCM
2 years ago

Hey @dev696,

A real researcher will not just copy all the content from other reports. You should try to write your reports by yourself. What have you learned after reporting this vulnerability? Just earn the bounty or improve your skills in cybersecurity?

What a shame on you!

The maintainer should be aware of this person, he is not a researcher, he is a copier!

Devendra Bhatla
2 years ago

Researcher

@chau Minh Khanh, please have some shame, there is no content which I have copied. Don't have some better job? Come to India, I will give you a great job here. People like you are a shame on society, whose job is to just comment here and there with no job.
